New Relic One apps: Authentication, data access, permissions

This page contains details on authentication, data access, and user permissions for New Relic One applications. Topics include:

  • API key

  • Nerdpack unique ID (UUID)

  • Application access to data

  • User permissions

  • Details on how apps load in the browser

API key

To create a Nerdpack, you need a personal New Relic API key. To generate this key, open the Build a New Relic One application launcher in one.newrelic.com and select Get your API key.

An API key is associated with both: 

  • The account under which it was created, AND

  • The user who created it. 

During the Nerdpack creation process, the nr1 profiles:add CLI command is used to associate the API key with a profile. Every Nerdpack CLI command must run under a profile. A profile can be thought of as the identity under which you want to run a command. This can be helpful for users who have access to multiple New Relic accounts.

Note on local development: To locally serve your app (nr1 nerdpack:serve), you must run the command with an API key that is associated with the user who initially created the Nerdpack. 

For more on authentication and profiles, see Authentication.

Nerdpack UUIDs

Every Nerdpack is identified by a UUID: a unique ID. This UUID is stored inside the Nerdpack’s package.json file, under the nr1.uuid key. The UUID is associated with the New Relic account of the API key used to create it.

To deploy a Nerdpack, you must be using the same account used to create the Nerdpack. This means that if someone wants to deploy a Nerdpack into an account that it wasn’t created under, they’ll need to assign the Nerdpack a new UUID using the nr1 nerdpack:uuid --generate CLI command. For security reasons, we don’t give you information about what account generated a Nerdpack’s UUID.

A Nerdpack’s UUID can be found by running the nr1 nerdpack:uuid CLI command.

App access to data

New Relic One provides a cross-account view that is valuable for organizations that have complex hierarchies with multiple New Relic master accounts and sub-accounts. Because of this cross-account nature, New Relic One has rules for which accounts a New Relic One app can get data from, and for account/user permissions.

The data accessible to your application is determined by the account hierarchy associated with the Nerdpack’s UUID. If an application was created by a user in a master account, then that app would have access to data from that master account and from any sub-accounts under that master account. 

Data access is determined by the account connected to the UUID; it's not determined by the API key used when serving or deploying an app.

To change the account data an app has access to, you’ll need to:

  1. Generate a new UUID (nr1 nerdpack:uuid --generate CLI command) to associate the Nerdpack with a new account (and account hierarchy). 
  2. Publish and deploy it. 
  3. Have users subscribe to the new Nerdpack. 
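
Because the UUID, not the API key, decides which account hierarchy an app can read, a change to nr1.uuid is worth catching in code review. The following is an added example, not New Relic code: it compares the package.json of a base revision with that of a proposed revision and reports whether the UUID changed. It assumes UUIDs use the canonical 8-4-4-4-12 hexadecimal form; the function names and sample UUIDs are constructed for illustration.

```javascript
// Assumption: nr1.uuid is a canonical 8-4-4-4-12 hexadecimal UUID.
const UUID_SHAPE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Extract nr1.uuid from package.json text.
// Returns the lowercased UUID, or null when it is absent or malformed.
function readNerdpackUuid(packageJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (err) {
    return null; // not valid JSON
  }
  const uuid = pkg && pkg.nr1 ? pkg.nr1.uuid : undefined;
  return typeof uuid === "string" && UUID_SHAPE.test(uuid) ? uuid.toLowerCase() : null;
}

// Compare the UUID before and after a change (hypothetical review helper).
function reviewUuidChange(baseText, headText) {
  const before = readNerdpackUuid(baseText);
  const after = readNerdpackUuid(headText);
  if (after === null) {
    return { status: "invalid", detail: "nr1.uuid is missing or malformed in the new revision" };
  }
  if (before === null) {
    return { status: "new", detail: "nr1.uuid introduced: " + after };
  }
  if (before !== after) {
    // A new UUID re-associates the Nerdpack with another account hierarchy.
    return { status: "changed", detail: before + " -> " + after };
  }
  return { status: "unchanged", detail: after };
}

// Constructed sample revisions (UUIDs are made up for this example).
const BASE_PKG = JSON.stringify({
  name: "demo-nerdpack",
  nr1: { uuid: "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b" },
});
const REGENERATED_PKG = JSON.stringify({
  name: "demo-nerdpack",
  nr1: { uuid: "9a8b7c6d-1e2f-4a3b-8c4d-5e6f7a8b9c0d" },
});
const BROKEN_PKG = JSON.stringify({ name: "demo-nerdpack", nr1: {} });

console.log(reviewUuidChange(BASE_PKG, REGENERATED_PKG));
```

A "changed" result means the app's data scope and owner account are about to move, so the change should be reviewed as a permissions change rather than a routine edit.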

User permissions

When a Nerdpack is created, it generates a UUID tied to the personal New Relic API key of the user who created that Nerdpack.  The account under which the API key was created is considered the Nerdpack's "owner." 

Different CLI commands have different permission requirements, as shown in the table below:

| Action | CLI command | Account scoping | Nerdpack manager required? |
| --- | --- | --- | --- |
| Create | nr1 create | Account associated with API key of user running command becomes Nerdpack owner. | No |
| Recreate Nerdpack with new UUID | nr1 nerdpack:uuid | Account associated with API key of user running command becomes Nerdpack owner. | No |
| Locally serve Nerdpack | nr1 nerdpack:serve | API key used to run command must be associated with Nerdpack owner account. | No |
| Publish Nerdpack | nr1 nerdpack:publish | API key used to run command must be associated with Nerdpack owner account. | Yes |
| Get Nerdpack info | nr1 nerdpack:info | API key used to run command must be associated with Nerdpack owner account. | No |
| Deploy Nerdpack | nr1 nerdpack:deploy | API key used to run command must be associated with Nerdpack owner account. | Yes |
| Undeploy Nerdpack | nr1 nerdpack:undeploy | API key used to run command must be associated with Nerdpack owner account. | Yes |
| Get deploy info | nr1 nerdpack:info | API key used to run command must be associated with Nerdpack owner account. | No |
| Subscribe | nr1 nerdpack:subscribe | API key used to run command must be associated with Nerdpack owner account or one of its sub-accounts. | Yes |
| Unsubscribe | nr1 nerdpack:unsubscribe | Account associated with API key used to run command is subscribed to Nerdpack. | Yes |

A New Relic user can see an application in New Relic One if any of their New Relic accounts (or a master account of one of those accounts) is subscribed to that application.

App loading in browser

Generally, you don't need to know how your application code is loaded in New Relic One. But understanding how this works can help you if you encounter issues (for example, with a proxy or browser setup). 

When developing, your code is served from your local laptop by using an nr-local.net subdomain. This domain points to 127.0.0.1, and will use a variety of ports to connect, including 9973.

To load third-party code into the platform (both in development and production), New Relic One uses an <iframe> served from a separate domain (a subdomain of nr-ext.net), relying on the browser's same-origin policy to sandbox the code.

For this reason, your network administrator may need to enable access to:

  • Any subdomain of nr-local.net, or, at the very least, any domain of the shape <UserId>.nr-local.net, where UserId is a 32-character hexadecimal identifier that is unique to the user logged into the platform (you can use [0-9a-f]{32} to match it).

  • Any subdomain of nr-ext.net, or, at the very least, any domain of the shape <NerdpackUuid>.g<NerdpackGid>.nr-ext.net, where NerdpackUuid is the UUID assigned to your package, and NerdpackGid is zero or a positive integer (you can use 0|[1-9]\d* to match it).
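
For the narrower of the two options, the patterns have to be anchored at both ends so that lookalike hosts do not pass the allowlist. The following is an added example, not New Relic code: it classifies a hostname against the two shapes described above. It assumes NerdpackUuid uses the canonical 8-4-4-4-12 hexadecimal form; the function name and sample hostnames are constructed.

```javascript
// Building blocks taken from the shapes described above.
const USER_ID = "[0-9a-f]{32}";
// Assumption: the Nerdpack UUID is a canonical 8-4-4-4-12 hexadecimal UUID.
const NERDPACK_UUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
// Zero or a positive integer without leading zeros; \d* so that g1..g9 also match.
const NERDPACK_GID = "(?:0|[1-9]\\d*)";

// Anchored with ^ and $ so "nr-ext.net.example.org" or "xnr-ext.net" cannot match.
const LOCAL_HOST = new RegExp(`^${USER_ID}\\.nr-local\\.net$`);
const EXT_HOST = new RegExp(`^${NERDPACK_UUID}\\.g${NERDPACK_GID}\\.nr-ext\\.net$`);

// Returns "nr-local", "nr-ext" or "deny" for a host taken from a proxy log or rule.
function classifyHost(rawHost) {
  // DNS names are case-insensitive; drop an optional :port and trailing root dot.
  const host = String(rawHost)
    .trim()
    .toLowerCase()
    .replace(/:\d+$/, "")
    .replace(/\.$/, "");
  if (LOCAL_HOST.test(host)) return "nr-local";
  if (EXT_HOST.test(host)) return "nr-ext";
  return "deny";
}

// Constructed sample hostnames (identifiers are made up for this example).
const SAMPLE_USER = "0123456789abcdef0123456789abcdef";
const SAMPLE_UUID = "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b";
const SAMPLE_HOSTS = [
  `${SAMPLE_USER}.nr-local.net:9973`,          // local development, with port
  `${SAMPLE_UUID}.g0.nr-ext.net`,              // GID zero
  `${SAMPLE_UUID}.g7.nr-ext.net`,              // single-digit GID
  `${SAMPLE_UUID}.g01.nr-ext.net`,             // leading zero: not a valid GID
  `${SAMPLE_UUID}.g7.nr-ext.net.example.org`,  // suffix lookalike
  "nr-ext.net",                                // bare domain, no Nerdpack label
];

for (const host of SAMPLE_HOSTS) {
  console.log(host, "=>", classifyHost(host));
}
```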